Google offers bigger bucks in Chrome bug hunt

Google's program to pay outsiders who find Chrome security vulnerabilities is working well enough that the company has concluded it's time to add new financial rewards.

"Recently, we've seen a significant drop-off in externally reported Chromium security issues," Chrome programmer Chris Evans said in a blog post yesterday. "This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger."

Thus, Google added a new $1,000 bonus on top of the regular incentive in three circumstances. The bonus applies if a vulnerability is "particularly exploitable" and comes with a demonstration; if it's in an open-source software library used beyond just Chrome; or if the vulnerability is in a stable area of Chrome that Google thought had already been picked clean of bugs.

The vulnerability apparently wasn't a mere idea, but rather an actual attack mechanism, according to Adobe.

"There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious [Microsoft] Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows," Adobe said.